Dial'S' For Security
Most people take for granted the security built into today's cellular services. While not uncrackable, it serves the general public--obtaining a radio that can tune into the cellular bands is expensive. In contrast, today's Vo-Fi systems are quite easy to tap; a $25 wireless network card at your favorite technology big-box store and a free copy of Wireshark, and you're listening to your boss' most intimate conversations. Without encryption at Layer 2, Layer 3 or Layer 7, it's all in the clear.
We don't expect to see Vo-Fi handsets with built-in VPN support soon, if ever, and the VoIP space has been slow to implement standards such as SRTP that encrypt audio traffic. So, we need to lean on Layer 2 encryption standards such as WEP, WPA and WPA2. All enterprise Vo-Fi players offer Layer 2 encryption based on WEP, but anything more advanced has twists and turns.
When SpectraLink launched its NetLink e340/i640 handsets in 2003, it put most of the cryptographic support into the handset's hardware, based on where IEEE 802.11i was that time. SpectraLink did not announce WPA and WPA2 support until early 2005, several months after the Wi-Fi Alliance introduced the WPA2 certification. Its NetLink line supports only preshared keys, so while conversations may be secure, key management for larger shops remains a challenge. If a new key must be deployed, be prepared to reach out and touch every handset.
Cisco supports LEAP in its handsets, but LEAP is semi-proprietary--the client piece can be licensed, but not the AP side. Moreover, the introduction of the asleap attack by Joshua Wright (now at Aruba) meant that complex passwords had to be tied to each user name; otherwise, a person's credentials could be recovered. One way to mitigate this, of course, is to assign each phone its own user name and password, independent of the actual user. It's likely Cisco wasn't able to justify immediately updating the hardware to include AES support when IEEE 802.11i was ratified in mid-2004. Although its newest handset supports WPA/WPA2-PSK as well as LEAP and EAP-FAST, we saw no mention of other non-Cisco-originated EAP types.
Vocera initially launched with WEP support. It's since added LEAP, WPA-PSK and PEAP, but the company told us customers prefer WEP for its faster roam times. Vocera's badge-like device lacks WPA2 because its Wi-Fi chipset doesn't include hardware support for AES.
Vocera added that only within the last few months has it seen wireless chipsets that combine the latest security capabilities--WPA2, 802.11b/g--with the low power demands and compactness it prizes. At the same time, the form factor and limited GUI of Vocera's badge makes entering user credentials especially challenging. Even the preshared key for WPA requires entering a calculated 64-character alphanumeric value rather than the normal eight-to-63-character passphrase.
Vocera's other twist is that it encrypts audio traffic with its own proprietary schemes, such that even if the 802.11 frames were decrypted the conversation would still not be laid bare.
Hitachi has, admittedly, a few security skeletons in its closet. A quick check of the Wireless Vulnerabilities and Exploits site (wve.org) reveals five issues, which the vendor claims have long since been addressed. Still, Hitachi's support for standards-based security is outstanding: Besides WEP and WPA-PSK, it also supports EAP-MD5, EAP-TLS, EAP-TTLS and EAP-PEAP within the 802.1X framework. The IP-5000 handset lacks WPA2 support, but Hitachi says it will enable that in Q2 of this year.
Again, as with QoS and signaling, each incumbent vendor has its own security handicaps. While some can be explained away due to hardware limitations, others--notably Cisco's lack of wider EAP support--only demonstrate their preference toward platform lock-in and limiting choice. As with SIP, it's time to embrace the security standards of the present and give admins the tools to integrate Vo-Fi into their standard security architectures.
